LoFP / geo-ip and asn enrichment updates can occasionally shift how a stable egress is labeled, creating a one-time "new" tuple.

Techniques

Sample rules

Entra ID Service Principal with Unusual Source ASN

Description

Identifies Entra ID service principal sign-ins where the workload identity and source autonomous system number (ASN) together have not appeared in recent history. Attackers who obtain application secrets or tokens often authenticate from unfamiliar hosting providers, residential or VPN egress, or networks outside normal automation footprints, which can precede data access, lateral movement, or ransomware activity in the tenant. The detection emphasizes first-seen network context for non-interactive workload identities.

Detection logic

event.dataset:azure.signinlogs
    and azure.signinlogs.category:ServicePrincipalSignInLogs
    and azure.signinlogs.properties.status.error_code:0
    and azure.signinlogs.properties.service_principal_id:*
    and source.as.number:*
    and not source.as.organization.name:(*MICROSOFT* or *Microsoft*)
    and not azure.signinlogs.properties.app_owner_tenant_id:(72f988bf-86f1-41af-91ab-2d7cd011db47 or f8cdef31-a31e-4b4a-93e4-5f571e91255a)
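The following is an added example, not part of this LoFP page or of the Elastic rule quoted above. It approximates the filter clauses on flattened event dicts and then applies a simple first-seen check on the (service_principal_id, source.as.number) pair, so the false positive described at the top of the page can be seen end to end: after a constructed ASN relabel the pair alerts exactly once and then goes quiet, while a genuinely unfamiliar network also alerts. All sign-in events, principal ids, ASNs (64496-64511 are reserved for documentation) and organization names are constructed; the two app owner tenant ids come from the rule. The lookback handling (a baseline cut-off plus a fixed history window) is an assumption that stands in for the rule's own history, not Elastic's implementation.

```python
from datetime import datetime, timedelta

# Microsoft-owned app owner tenant ids excluded by the rule (taken from the page).
MICROSOFT_APP_OWNER_TENANTS = {
    "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",
}


def matches_filter(ev):
    """Approximate the KQL clauses above on a flattened event dict."""
    if ev.get("event.dataset") != "azure.signinlogs":
        return False
    if ev.get("azure.signinlogs.category") != "ServicePrincipalSignInLogs":
        return False
    if ev.get("azure.signinlogs.properties.status.error_code") != 0:
        return False
    if not ev.get("azure.signinlogs.properties.service_principal_id"):
        return False
    if ev.get("source.as.number") is None:
        return False
    # KQL matches *MICROSOFT* or *Microsoft*; a case-insensitive substring
    # test is a close approximation for this illustration.
    if "microsoft" in (ev.get("source.as.organization.name") or "").lower():
        return False
    if ev.get("azure.signinlogs.properties.app_owner_tenant_id") in MICROSOFT_APP_OWNER_TENANTS:
        return False
    return True


def new_tuple_alerts(events, baseline_end, history_window=timedelta(days=14)):
    """Flag (service_principal_id, source.as.number) pairs not seen within
    history_window. Events before baseline_end only seed the history; this
    assumed cut-off stands in for the lookback the rule has already observed."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = (ev["azure.signinlogs.properties.service_principal_id"], ev["source.as.number"])
        ts = ev["@timestamp"]
        prev = last_seen.get(key)
        if ts >= baseline_end and (prev is None or ts - prev > history_window):
            alerts.append({"@timestamp": ts, "service_principal_id": key[0],
                           "as_number": key[1],
                           "as_org": ev.get("source.as.organization.name")})
        last_seen[key] = ts  # remembered either way, so a relabel alerts once
    return alerts


def make_event(ts, sp_id, asn, org, error_code=0,
               owner_tenant="33333333-3333-3333-3333-333333333333"):
    """Build one constructed sign-in event (not real tenant data)."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.category": "ServicePrincipalSignInLogs",
        "azure.signinlogs.properties.status.error_code": error_code,
        "azure.signinlogs.properties.service_principal_id": sp_id,
        "azure.signinlogs.properties.app_owner_tenant_id": owner_tenant,
        "source.as.number": asn,
        "source.as.organization.name": org,
    }


SP_AUTOMATION = "11111111-1111-1111-1111-111111111111"  # constructed id
SP_OTHER = "22222222-2222-2222-2222-222222222222"       # constructed id
T0 = datetime(2024, 1, 1, 3, 0)
BASELINE_END = T0 + timedelta(days=7)


def build_sample_events():
    """Constructed scenario: a nightly automation egress whose AS number label
    shifts after an enrichment update, noise the filter should drop, and one
    genuinely unfamiliar network."""
    events = [make_event(T0 + timedelta(days=d), SP_AUTOMATION, 64496, "Example Cloud Hosting")
              for d in range(7)]
    # Same physical egress, now labeled with a different AS number by the enrichment update.
    events += [make_event(T0 + timedelta(days=d), SP_AUTOMATION, 64497, "Example Cloud Hosting")
               for d in range(7, 10)]
    # Excluded by the filter: Microsoft egress, a failed sign-in (any non-zero status), a first-party app.
    events.append(make_event(T0 + timedelta(days=8, hours=1), SP_OTHER, 64498, "MICROSOFT-EXAMPLE-ORG"))
    events.append(make_event(T0 + timedelta(days=8, hours=2), SP_OTHER, 64500, "Example VPN Provider",
                             error_code=7000215))
    events.append(make_event(T0 + timedelta(days=8, hours=3), SP_OTHER, 64500, "Example VPN Provider",
                             owner_tenant="72f988bf-86f1-41af-91ab-2d7cd011db47"))
    # Genuinely new: a second principal authenticating from a VPN provider.
    events.append(make_event(T0 + timedelta(days=9, hours=4), SP_OTHER, 64500, "Example VPN Provider"))
    return events


def run_sample():
    """Evaluate the constructed scenario; returns the list of alerts."""
    return new_tuple_alerts(build_sample_events(), BASELINE_END)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields two alerts: the relabeled automation egress on day 8 (the one-time tuple the LoFP note describes; because the pair is remembered, days 9 and 10 stay silent) and the second principal's VPN sign-in. When triaging the first kind, comparing source.as.organization.name and the source address against the previous label for the same principal usually shows that only the enrichment changed.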